Digital information has become extremely important in all aspects of commerce, education, government, entertainment and management. In many of these applications, the ability to ensure the privacy, integrity and authenticity of the information is critical. As a result, several digital security mechanisms have been developed to improve security.
One standardized approach to today's digital security is referred to as the Public Key Infrastructure (PKI). PKI provides for the use of digital certificates to authenticate the identity of a certificate holder, or to authenticate other information. A certificate authority (CA) issues a certificate to a certificate holder, and the holder can then provide the certificate to a third party as an attestation by the CA that the holder named in the certificate is in fact the person, entity, machine, email address user, etc., set forth in the certificate, and that the public key in the certificate is in fact the holder's public key. People, devices, processes or other entities dealing with the certificate holder can rely upon the certificate in accordance with the CA's certification practice statement. A certificate is typically created by the CA digitally signing, with its own private key, the identifying information submitted to the CA along with the public key of the holder who seeks the certificate. A certificate usually has a limited period of validity, and can be revoked earlier in the event of compromise of the certificate holder's corresponding private key, or another revocable event. Typically, a PKI certificate includes a collection of information to which a digital signature is attached. A CA that a community of certificate users trusts attaches its digital signature and issues the certificates to various users and/or devices within a system.
Network-enabled devices are generally provisioned at the factory with identity data so that they may communicate with other network-enabled devices in a secure manner using an identity data system. The identity data typically includes a public and private key pair and a digital certificate. Illustrative examples of network-enabled devices include, without limitation, PCs, mobile phones, routers, media players, set-top boxes and the like.
The identity data may be provisioned in network-enabled devices at the time of manufacture. This can be a difficult and complex process for a number of reasons. For instance, traditional identity data includes a limited number of attributes, such as those specified by X.509, but typically does not include many product-specific details such as a product name, model name and chip ID. However, identity data end users, such as device manufacturers, application providers or industry consortiums, are now more often requesting the inclusion of additional product details, attributes and attribute values in their identity data. These additional attributes and attribute values, along with the product- and device-specific details that are to be included in the identity data during the identity data generation, distribution and manufacturing process, are typically unique per product and device. Therefore, it can be difficult to manage these processes when there is a large variety of products. This becomes even more difficult when a manufacturer produces many different product lines and many different models within each product line. Moreover, these products may be produced at many different manufacturing facilities that are not necessarily co-located with one another, and which in fact may be located on different continents. These attributes and attribute values are incorporated into the identity data records that are eventually provisioned in the devices. The process of generating, managing and tracking all this data for each and every product is a challenging task that can become overwhelmingly difficult.
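The following Go program is an added example, not code from the original text, that ties the two preceding descriptions together: a CA signs a device's public key along with identifying information and a validity window (the PKI paragraph), and the certificate additionally carries the product-specific details the paragraph above names (product name, model name and chip ID) in a private X.509 extension, since the standard subject fields have no place for them. It uses only Go's standard crypto/x509 and encoding/asn1 packages. The OID arc 1.3.6.1.4.1.99999, the CA and device names, the serial number and the attribute values are all constructed placeholders for this example; a manufacturer would use an OID arc it actually owns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidProductInfo names the private extension carrying the product attributes; 1.3.6.1.4.1.99999 is a placeholder arc constructed for this example.
var oidProductInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}

// DeviceAttrs holds product-specific details beyond the standard X.509 subject fields, DER-encoded as a SEQUENCE of three UTF8Strings.
type DeviceAttrs struct {
	ProductName string `asn1:"utf8"`
	ModelName   string `asn1:"utf8"`
	ChipID      string `asn1:"utf8"`
}

// NewCA builds a self-signed CA certificate (ten-year validity) and returns it with its private key.
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert has the CA sign the device's public key with a subject name, a validity window and the product
// attributes in a non-critical extension, so a relying party that does not understand the extension still accepts the certificate.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, devPub *ecdsa.PublicKey,
	serial int64, attrs DeviceAttrs, now time.Time, validity time.Duration) (*x509.Certificate, error) {
	info, err := asn1.Marshal(attrs)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: attrs.ChipID},
		NotBefore: now, NotAfter: now.Add(validity),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidProductInfo, Critical: false, Value: info}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, devPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ReadAttrs recovers the product attributes from a parsed device certificate.
func ReadAttrs(cert *x509.Certificate) (DeviceAttrs, error) {
	var a DeviceAttrs
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidProductInfo) {
			_, err := asn1.Unmarshal(ext.Value, &a)
			return a, err
		}
	}
	return a, fmt.Errorf("certificate %v carries no product-info extension", cert.SerialNumber)
}

// VerifyDeviceCert is the relying party's check: a signature chaining to the trusted CA and a validity window
// covering the given time. An expired certificate fails here; a revocation (CRL/OCSP) check would sit alongside it.
func VerifyDeviceCert(dev, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

func main() {
	now := time.Now()
	ca, caKey, err := NewCA(now)
	if err != nil {
		panic(err)
	}
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the device's own key pair, generated at the factory
	if err != nil {
		panic(err)
	}
	dev, err := IssueDeviceCert(ca, caKey, &devKey.PublicKey, 42, DeviceAttrs{ProductName: "Example Set-Top Box", ModelName: "STB-2000", ChipID: "CHIP-00000001"}, now, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(ReadAttrs(dev))
	fmt.Println("valid now:", VerifyDeviceCert(dev, ca, now), "in two years:", VerifyDeviceCert(dev, ca, now.AddDate(2, 0, 0)))
}
```

Two design points matter in practice. The product extension is deliberately non-critical: relying parties that do not know the OID must be able to ignore it, otherwise every existing verifier would reject the certificate. And because the attributes are signed into the certificate, any change to a product name, model or chip identifier means re-issuing the certificate, which is one reason managing per-product, per-device identity data across many product lines and factories is as laborious as the text describes.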